[ 
https://issues.apache.org/jira/browse/LIVY-900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645808#comment-17645808
 ] 

Larry McCay commented on LIVY-900:
----------------------------------

[~dacort] - thanks for the attachment and attention to this.

I'm thinking that in terms of tracking process, we can:

1. Create an umbrella Jira for each release to capture child tasks for sets of
   CVE dependency upgrades.
   a. I say "set" as we can try and lump co-dependencies together and/or
      functional groups like hive, for instance.
   b. If we do this based on the current criticals then we can assign one to
      ourselves and start burning them down without stepping on each other.
2. For 0.8.0, I would suggest we limit it to CRITICAL severity issues only, and
   in subsequent releases we start with CRITICAL and go into HIGH.
3. If a dependency fix is across incompatible versions then we need to
   determine whether our use of the library is actually vulnerable, while leaning
   towards addressing it for hygiene reasons either way; but perhaps we can put it
   off while we try and make the needed changes or a backport of the fix to a
   compatible version.

In general, we should be able to address dependabot PRs throughout normal 
activities so that hopefully there will be fewer come release time.

Thoughts?

> Security and CVE Remediation Process for 0.8.0
> ----------------------------------------------
>
>                 Key: LIVY-900
>                 URL: https://issues.apache.org/jira/browse/LIVY-900
>             Project: Livy
>          Issue Type: Improvement
>          Components: Build
>            Reporter: Larry McCay
>            Priority: Major
>             Fix For: 0.8.0
>
>         Attachments: dependency-check-report.html
>
>
> As part of the revival of the Livy project, we indicated that an immediate 
> goal would be to establish a process for CVE and dependency hygiene. There 
> are a number of ways that we can address this and we need to consider which 
> ones would be most appropriate. Off the top of my head:
>  * Dependabot is being used in many projects and I believe there are a couple 
>    of different ways to integrate this, either at the github or gitbox (ASF) level.
>    ** Some automatically create PRs, for instance.
>  * External tooling that can be run, such as OWASP dependency-check. I have 
>    run this locally to discover the currently outstanding upgrades that need to 
>    be addressed.
>    FYI - this can be run via mvn:
>      mvn org.owasp:dependency-check-maven:7.3.0:aggregate
> I'd like to gather ideas for productive ways to maintain proper dependency 
> hygiene and file tasks to get at least some of these done for the 0.8.0 release, 
> with the remediation of most if not all of the Critical and High CVEs.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
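Added example (not code from the Livy project or from anyone on this thread): a small Python triage script that turns an OWASP dependency-check report into the umbrella/child-task structure proposed above. It assumes the report was written as JSON (dependency-check-maven accepts -Dformat=JSON) and that the report has the shape dependencies[].vulnerabilities[] with name, severity and cvssv3.baseScore (falling back to cvssv2.score), plus packages[].id holding a pkg:maven/<groupId>/<artifactId>@<version> URL; those field names are assumptions about the tool's output, not something this thread states. The embedded report is a constructed sample with placeholder CVE identifiers and fictional org.example artifacts, so it runs offline. Findings are bucketed by Maven groupId (the "lump co-dependencies / functional groups like hive together" idea) and gated at a severity threshold, CRITICAL for 0.8.0 and HIGH for a later release. Function names are mine.

```python
"""Triage an OWASP dependency-check JSON report into per-groupId child tasks.

Assumed report shape (not stated on the thread):
  dependencies[].fileName
  dependencies[].packages[].id          e.g. "pkg:maven/org.example/lib@1.0"
  dependencies[].vulnerabilities[].name / .severity / .cvssv3.baseScore / .cvssv2.score
"""
import json
import re
from collections import defaultdict

# Higher number = more severe. Unknown severities rank 0 and never pass a gate.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample report: placeholder CVE ids, fictional artifacts.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "hive-shim-1.0.jar",
         "packages": [{"id": "pkg:maven/org.example.hive/hive-shim@1.0"}],
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-0000-0002", "severity": "High", "cvssv3": {"baseScore": 7.5}}]},
        {"fileName": "hive-shim-ql-1.0.jar",   # same groupId: lumped into one task
         "packages": [{"id": "pkg:maven/org.example.hive/hive-shim-ql@1.0"}],
         "vulnerabilities": [
             {"name": "CVE-0000-0003", "severity": "HIGH", "cvssv3": {"baseScore": 8.1}}]},
        {"fileName": "util-core-2.3.jar",      # older entry: only a CVSSv2 score
         "packages": [{"id": "pkg:maven/org.example.util/util-core@2.3"}],
         "vulnerabilities": [
             {"name": "CVE-0000-0004", "severity": "critical", "cvssv2": {"score": 9.3}}]},
        {"fileName": "legacy-thing-0.9.jar",   # no package URL: grouped by file name
         "vulnerabilities": [
             {"name": "CVE-0000-0005", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}}]},
        {"fileName": "clean-0.1.jar"},         # no findings at all
    ]
})


def group_id(dependency):
    """Maven groupId from the first pkg:maven package URL, else the file name."""
    for pkg in dependency.get("packages") or []:
        match = re.match(r"pkg:maven/([^/]+)/", pkg.get("id", ""))
        if match:
            return match.group(1)
    return dependency.get("fileName", "unknown")


def load_findings(report_text):
    """Flatten the report into one record per (artifact, CVE)."""
    report = json.loads(report_text)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = (vuln.get("cvssv3") or {}).get("baseScore")
            if score is None:
                score = (vuln.get("cvssv2") or {}).get("score")
            findings.append({
                "artifact": dep.get("fileName"),
                "group": group_id(dep),
                "cve": vuln.get("name"),
                "severity": str(vuln.get("severity", "")).upper(),  # tool output varies in case
                "score": score,
            })
    return findings


def at_or_above(findings, threshold):
    """Gate: keep findings whose severity is at least `threshold`."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= floor]


def child_tasks(findings, threshold):
    """Bucket in-scope findings by groupId: one child Jira per bucket."""
    tasks = defaultdict(list)
    for f in at_or_above(findings, threshold):
        tasks[f["group"]].append(f)
    return dict(tasks)


def render(tasks, release):
    """Plain-text outline of the umbrella Jira and its child tasks."""
    lines = [f"Umbrella: CVE dependency upgrades for {release}"]
    for group in sorted(tasks):
        lines.append(f"  child task: upgrade {group} ({len(tasks[group])} finding(s))")
        for f in sorted(tasks[group], key=lambda x: -(x["score"] or 0)):
            lines.append(f"    {f['cve']} {f['severity']} {f['score']} in {f['artifact']}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    print(render(child_tasks(found, "CRITICAL"), "0.8.0"))
    print(render(child_tasks(found, "HIGH"), "next release"))
```

Against a real report, point load_findings at the file written under target/ by the aggregate goal and diff the CRITICAL and HIGH outlines between runs; anything that drops out of the outline is a finding that was fixed (or a dependency that was removed), which is the burn-down this thread is asking for.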
